How Access Rights for Working with Primary Record-Type Records are Determined

When a user tries to update, delete, or drill down to see more details on a primary record, Oracle CRM On Demand uses the following process to determine what actions the user can perform on the record:

  • Oracle CRM On Demand determines the access levels granted by the access profile on the user’s role:
    • If the user is the owner of the record, the user’s owner access profile is used.
    • If the user is not the owner of the record, but the Can Read All Records option is selected for the record type on the user’s role, the user’s default access profile is used.
  • Oracle CRM On Demand determines the access levels granted by each of the following access-control components:
    • The reporting hierarchy
    • Membership of custom books
    • User delegation
    • Team membership

More information about how Oracle CRM On Demand determines the access levels granted by the reporting hierarchy, membership of custom books, user delegation, and team membership is provided in the rest of this topic. Oracle CRM On Demand always uses the most permissive level of access from each of these access-control components, so keep this in mind when you create access profiles and assign them to users, books, and teams.

The combination of the access permissions for the record determines what actions the user can perform on the record. If the user has at least read-only access to the record, the record details are displayed. Otherwise, the user sees an error message.

Access Rights from the Reporting Hierarchy

To determine the access rights that can be granted through a user’s position in the reporting hierarchy, Oracle CRM On Demand considers the following for each subordinate of the user:

  • If the subordinate is the owner of the record, Oracle CRM On Demand extracts the access level for the primary record type from the owner access profile of the current user.
  • If the subordinate is a team member on the record, Oracle CRM On Demand extracts the access level for the primary record type from the access profile assigned to the subordinate as a team member.

NOTE: If the subordinate is not the record owner or a member of the team for the record, the subordinate does not contribute to the access calculation.

Oracle CRM On Demand then considers all of the access rights that subordinates contribute to the access calculation and calculates the most permissive access level that can be given to the user.

Access Rights from Membership of Custom Books

To determine the access rights that can be granted through a user’s membership of custom books, Oracle CRM On Demand considers the following:

  • If the record is associated with a book, then Oracle CRM On Demand extracts the access level for the record type from the access profile assigned to the user who is a member of the book.
  • If the record is associated with a child book in a book hierarchy with multiple levels, such as grandparent, parent, and child, then the access level is extracted as follows:
    • If the user is a member of all three books, then the access level is derived from the access profiles of the user from each of the grandparent, parent and child books.
    • If the user is a member of the grandparent book only, then the access level is derived from the access profile of the user from the grandparent book.

In all cases, if one or more of the access levels for the record is Inherit Primary, then the inherited access level of the primary record type is used. If more than one access level for the record is Inherit Primary, then a union of the inherited access levels of the primary record types from each access profile is used. Oracle CRM On Demand then considers all levels of access that book membership contributes to the final access calculation and determines the most permissive access level that can be given to the user.

Access Rights from User Delegation

To determine the access rights that can be granted through user delegation, Oracle CRM On Demand considers the following for each delegator (that is, each user for whom the current user is a delegate):

  • If the delegator is the owner of the record, Oracle CRM On Demand extracts the access level for the primary record type from the owner access profile of the delegator.
  • If the delegator is a team member on the record, Oracle CRM On Demand extracts the access level for the primary record type from the access profile assigned to the delegator in the team.
  • If a subordinate of the delegator is the owner of the record, Oracle CRM On Demand extracts the access level for the primary record type from the owner access profile of the subordinate.
  • If a subordinate of a delegator is a team member on the record, Oracle CRM On Demand extracts the access level for the primary record type from the access profile assigned to the subordinate in the team.

Oracle CRM On Demand then considers all levels of access that user delegation contributes to the access calculation and determines the most permissive access level that can be given to the user.

Access Rights from Team Membership

If the user is a team member on a record (but is not the owner of the record), Oracle CRM On Demand extracts the access level for the primary record type from the access profile on the user’s team membership.
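
The following added example (a simplified model written for this topic, not Oracle code) computes what each access-control component contributes for one user and record, so an administrator can see which component is responsible for a permission. It assumes an access level can be represented as a set of actions, that each user's subordinate list is already flattened, and that book access has been resolved per member; the Inherit Primary setting and book hierarchies are not modelled, and all class, field, and user names are hypothetical.

```python
# Added example: simplified model of the rules in this topic, not Oracle's code.
# Assumption: an access level is a set of actions; names below are hypothetical.
from dataclasses import dataclass, field

RO, RE, RED = {"read"}, {"read", "edit"}, {"read", "edit", "delete"}

@dataclass
class User:
    name: str
    owner_profile: set            # access when the user owns the record
    default_profile: set          # access when the user is not the owner
    can_read_all: bool = False    # "Can Read All Records" on the role
    subordinates: list = field(default_factory=list)  # assumed already flattened
    delegators: list = field(default_factory=list)    # users who delegated to this user

@dataclass
class Record:
    owner: str
    team: dict = field(default_factory=dict)   # member name -> team profile access
    books: dict = field(default_factory=dict)  # member name -> book profile access

def effective_access(user, rec):
    """Per-component grants for `user` on `rec`; key '*' is their union."""
    g = {"role": set(), "hierarchy": set(), "books": set(),
         "delegation": set(), "team": set()}
    if rec.owner == user.name:
        g["role"] |= user.owner_profile
    else:
        if user.can_read_all:
            g["role"] |= user.default_profile
        g["team"] |= rec.team.get(user.name, set())
    for sub in user.subordinates:
        if rec.owner == sub.name:
            g["hierarchy"] |= user.owner_profile   # the current user's owner profile
        g["hierarchy"] |= rec.team.get(sub.name, set())
    g["books"] |= rec.books.get(user.name, set())
    for d in user.delegators:
        for u in [d, *d.subordinates]:             # delegator and their subordinates
            if rec.owner == u.name:
                g["delegation"] |= u.owner_profile
            g["delegation"] |= rec.team.get(u.name, set())
    g["*"] = set().union(*g.values())
    return g

# Constructed sample: Ana has a read-only default profile but is Raj's delegate.
raj = User("raj", RED, RO)
ana = User("ana", RE, RO, can_read_all=True, delegators=[raj])
account = Record(owner="raj", team={"ana": RO})
result = effective_access(ana, account)   # result["*"] includes "delete" via delegation
```

In the sample, Ana's role and team membership each grant read-only access, yet her effective access includes edit and delete because the delegator's owner access profile is the most permissive contribution.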


Published 7/3/2018 Copyright © 2005, 2018, Oracle. All rights reserved. Legal Notices.